6.0 Logging Basics

Auditing, accounting, logging -- call it what you will, these are the mechanisms used to create permanent or semi-permanent records of events on a system. Unfortunately, they can also record your intrusion activities, sometimes in explicit and evidence-worthy detail. Potential intruders should therefore not only be aware of what record keeping is available (either as a standard feature of the system or as an add-on), but also have possible methods for defeating such records.

Some types of logging are simple text files with entries showing logins and logouts, and perhaps failed logins. Others record which programs were accessed, which program runs were attempted and refused, or keep track of an individual's disk usage. All of them can reveal information that allows an administrator to reconstruct an attack.

Admins generally prefer simple logging techniques so as not to pile onto their current workload. Logs take up space, and large log files can be very difficult to sift through when a sys admin is looking for problems. Log files are usually stored in directories protected from casual viewing, or at least from editing.

Typically, log files do not simply disappear; a missing one might lead a curious sys admin to poke around looking for problems, and a paranoid one to look for intruders. If possible, the logs should be edited, or the entries made in them made to look as normal as possible.
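The following is an added example, not part of the original text, showing the administrator's side of the two points above: how the simple "login / logout / failed login" text log described earlier is turned back into a session timeline, and what kind of trace an edited log leaves behind (a logout with no matching login, a timestamp that runs backwards, a burst of failures immediately followed by a success). The log format, the sample lines and the threshold of three failures are all constructed for this example and do not come from any particular system.

```python
"""Reconstruct login sessions from a simple text login log and report the
inconsistencies that removing or reordering entries leaves behind."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log in an assumed "date time EVENT user tty" layout.
# Line 7 is a logout whose login line is missing; line 8 is out of order.
SAMPLE_LOG = """\
2024-03-01 08:02:11 LOGIN alice tty1
2024-03-01 08:45:30 LOGOUT alice tty1
2024-03-01 09:10:02 FAILED bob tty2
2024-03-01 09:10:15 FAILED bob tty2
2024-03-01 09:10:29 FAILED bob tty2
2024-03-01 09:10:41 LOGIN bob tty2
2024-03-01 11:59:59 LOGOUT carol tty3
2024-03-01 10:30:00 LOGIN dave tty4
"""

FAILURE_THRESHOLD = 3  # assumed: this many failures before a success is worth a look


def parse_log(text):
    """Turn raw lines into dicts; malformed lines are reported, not dropped silently."""
    entries, anomalies = [], []
    for lineno, line in enumerate(text.splitlines(), start=1):
        parts = line.split()
        if len(parts) != 5:
            anomalies.append(f"line {lineno}: malformed entry {line!r}")
            continue
        date, time, event, user, tty = parts
        try:
            stamp = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        except ValueError:
            anomalies.append(f"line {lineno}: bad timestamp {line!r}")
            continue
        entries.append({"line": lineno, "time": stamp, "event": event,
                        "user": user, "tty": tty})
    return entries, anomalies


def reconstruct(entries):
    """Pair logins with logouts and collect the signals an admin looks for."""
    open_sessions = {}           # (user, tty) -> login entry still open
    sessions = []                # (user, tty, login time, logout time or None)
    failures = defaultdict(int)  # user -> consecutive failures so far
    failure_bursts = {}          # user -> failures immediately before a login
    anomalies = []
    last_time = None

    for e in entries:
        # An append-only log never runs backwards; a regression means lines
        # were reordered, inserted or removed.
        if last_time is not None and e["time"] < last_time:
            anomalies.append(f"line {e['line']}: timestamp earlier than previous entry")
        last_time = e["time"]

        key = (e["user"], e["tty"])
        if e["event"] == "FAILED":
            failures[e["user"]] += 1
        elif e["event"] == "LOGIN":
            if failures[e["user"]] >= FAILURE_THRESHOLD:
                failure_bursts[e["user"]] = failures[e["user"]]
            failures[e["user"]] = 0
            open_sessions[key] = e
        elif e["event"] == "LOGOUT":
            start = open_sessions.pop(key, None)
            if start is None:
                # A logout with no login on record: the login line is gone.
                anomalies.append(f"line {e['line']}: logout for {e['user']} "
                                 f"on {e['tty']} without a matching login")
            else:
                sessions.append((e["user"], e["tty"], start["time"], e["time"]))
        else:
            anomalies.append(f"line {e['line']}: unknown event {e['event']}")

    # Whatever is still open is an active (or never closed) session.
    for (user, tty), start in open_sessions.items():
        sessions.append((user, tty, start["time"], None))
    return {"sessions": sessions, "failure_bursts": dict(failure_bursts),
            "anomalies": anomalies}


def analyze(text):
    """Parse and reconstruct in one step, merging both anomaly lists."""
    entries, parse_anomalies = parse_log(text)
    report = reconstruct(entries)
    report["anomalies"] = parse_anomalies + report["anomalies"]
    return report


if __name__ == "__main__":
    report = analyze(SAMPLE_LOG)
    for user, tty, start, end in report["sessions"]:
        print(f"session  {user:<6} {tty}  {start}  ->  {end or 'still open'}")
    for user, n in report["failure_bursts"].items():
        print(f"warning  {n} failed attempts for {user} right before a successful login")
    for a in report["anomalies"]:
        print(f"anomaly  {a}")
```

Run on the sample above, the script lists alice's completed session, bob's and dave's open sessions, warns about bob's three failures before success, and reports the orphan logout at line 7 and the out-of-order timestamp at line 8. The same checks work on a real text login log once `parse_log` is adapted to its field layout.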